Neptune DB clusters should publish audit logs to CloudWatch Logs
Description
This control checks whether a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. In the Neptune API, the log export list of the cluster (EnableCloudwatchLogsExports on CreateDBCluster, or the EnableLogTypes list inside CloudwatchLogsExportConfiguration on ModifyDBCluster) must include the audit log type; the console shows this under 'Log exports' as the 'Audit' checkbox. When you audit a database, each operation on the data can be monitored and logged to an audit trail, including information about which database cluster is accessed and how. Publishing that trail to CloudWatch Logs (Neptune writes it to the log group /aws/neptune/<cluster-id>/audit) keeps it independent of the cluster and lets you retain, search and alarm on it, which is why we recommend it for monitoring your Neptune DB clusters. Note that the control only evaluates the export setting: Neptune generates audit records only when the neptune_enable_audit_log parameter in the DB cluster parameter group is set to 1, so a cluster with the export enabled but that parameter at 0 passes the control while its log group stays empty. Neptune also sends performance metrics to CloudWatch automatically and supports CloudWatch alarms, but those metrics are separate from the audit log export this control covers.
Remediation
To remediate Neptune DB clusters without audit logs enabled, enable the audit log export to CloudWatch Logs and make sure the cluster actually generates audit records.
Steps
- Navigate to the Amazon Neptune console
- Select the DB cluster that needs remediation
- Click on 'Modify' to edit the cluster configuration
- In the 'Log exports' section, enable 'Audit' logs
- Choose whether to apply the change immediately or during the next maintenance window, then apply it
- Check the DB cluster parameter group attached to the cluster: neptune_enable_audit_log must be set to 1, otherwise no audit records are produced even though the export is enabled. Default parameter groups cannot be edited, so if the cluster uses one, create a custom cluster parameter group, set the parameter there, attach the group to the cluster and reboot its instances
- Neptune creates the log group /aws/neptune/<cluster-id>/audit automatically; set a retention policy on it in CloudWatch Logs as needed
- Review the logging configuration
- Verify that log streams are appearing in the audit log group, and run a few queries against the cluster to confirm that entries are written
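The following script is an added example and is not part of this control page or of any AWS tooling. It evaluates describe-db-clusters output the way the control does (is the audit log type in EnabledCloudwatchLogsExports?), additionally checks the neptune_enable_audit_log parameter so that a cluster that passes the control but produces no records is flagged, and builds the boto3 modify_db_cluster and modify_db_cluster_parameter_group arguments for the remediation. The cluster identifiers, parameter group names and API responses below are constructed sample data; only the apply_remediation function talks to AWS and it needs boto3 and credentials.

```python
"""Evaluate Neptune clusters against the audit-log export control and build the
remediation calls. All sample input below is constructed for this example."""
import json

AUDIT_LOG_TYPE = "audit"
AUDIT_PARAMETER = "neptune_enable_audit_log"

# Constructed sample: trimmed `aws neptune describe-db-clusters` output.
SAMPLE_CLUSTERS = json.loads("""
{"DBClusters": [
  {"DBClusterIdentifier": "graph-prod",
   "DBClusterParameterGroup": "prod-neptune-cluster-pg",
   "EnabledCloudwatchLogsExports": ["audit"]},
  {"DBClusterIdentifier": "graph-analytics",
   "DBClusterParameterGroup": "default.neptune1.2",
   "EnabledCloudwatchLogsExports": ["audit"]},
  {"DBClusterIdentifier": "graph-staging",
   "DBClusterParameterGroup": "default.neptune1.2",
   "EnabledCloudwatchLogsExports": []},
  {"DBClusterIdentifier": "graph-dev",
   "DBClusterParameterGroup": "default.neptune1.2"}
]}
""")["DBClusters"]

# Constructed sample: the relevant entry of
# `aws neptune describe-db-cluster-parameters` for each cluster parameter group.
SAMPLE_PARAMETERS = {
    "prod-neptune-cluster-pg": [
        {"ParameterName": "neptune_enable_audit_log", "ParameterValue": "1"}],
    "default.neptune1.2": [
        {"ParameterName": "neptune_enable_audit_log", "ParameterValue": "0"}],
}


def exports_audit_logs(cluster):
    """What the control itself checks: is 'audit' among the enabled exports?
    A cluster without the EnabledCloudwatchLogsExports key exports nothing."""
    return AUDIT_LOG_TYPE in cluster.get("EnabledCloudwatchLogsExports", [])


def audit_logging_parameter_on(parameters):
    """True when neptune_enable_audit_log is 1 in the cluster parameter group."""
    for p in parameters:
        if p.get("ParameterName") == AUDIT_PARAMETER:
            return p.get("ParameterValue") == "1"
    return False


def evaluate(clusters, parameters_by_group):
    """Map cluster id -> status.
    FAILED: the control fails (audit export not enabled).
    PASSED: export enabled and the parameter group produces audit records.
    PASSED_NO_RECORDS: export enabled, so the control passes, but
    neptune_enable_audit_log is 0, so the log group stays empty."""
    results = {}
    for c in clusters:
        if not exports_audit_logs(c):
            results[c["DBClusterIdentifier"]] = "FAILED"
            continue
        params = parameters_by_group.get(c.get("DBClusterParameterGroup"), [])
        results[c["DBClusterIdentifier"]] = (
            "PASSED" if audit_logging_parameter_on(params) else "PASSED_NO_RECORDS")
    return results


def audit_log_group_name(cluster):
    """Log group Neptune creates for the audit export; check it after remediation."""
    return f"/aws/neptune/{cluster['DBClusterIdentifier']}/audit"


def export_remediation(cluster, apply_immediately=True):
    """Keyword arguments for boto3 neptune.modify_db_cluster that enable the audit
    export. EnableLogTypes is additive, so other enabled exports are kept."""
    return {
        "DBClusterIdentifier": cluster["DBClusterIdentifier"],
        "CloudwatchLogsExportConfiguration": {"EnableLogTypes": [AUDIT_LOG_TYPE]},
        "ApplyImmediately": apply_immediately,
    }


def is_modifiable_parameter_group(name):
    """AWS-managed default.* groups are read-only; a custom group is required."""
    return not name.startswith("default.")


def parameter_remediation(parameter_group_name):
    """Keyword arguments for boto3 neptune.modify_db_cluster_parameter_group.
    The parameter is static, so the change takes effect at the next reboot."""
    if not is_modifiable_parameter_group(parameter_group_name):
        raise ValueError(f"{parameter_group_name} is a default group; create a "
                         "custom cluster parameter group and attach it first")
    return {
        "DBClusterParameterGroupName": parameter_group_name,
        "Parameters": [{"ParameterName": AUDIT_PARAMETER, "ParameterValue": "1",
                        "ApplyMethod": "pending-reboot"}],
    }


def apply_remediation(cluster, region_name=None):
    """Live version: needs boto3 and AWS credentials, so it is not run offline."""
    import boto3  # imported here so the offline checks above do not need it
    neptune = boto3.client("neptune", region_name=region_name)
    return neptune.modify_db_cluster(**export_remediation(cluster))


if __name__ == "__main__":
    for cluster_id, status in evaluate(SAMPLE_CLUSTERS, SAMPLE_PARAMETERS).items():
        print(f"{cluster_id}: {status}")
```

With the sample data, graph-prod passes, graph-staging and graph-dev fail the control, and graph-analytics is the case the control does not catch: the export is on but the default parameter group leaves neptune_enable_audit_log at 0, so nothing reaches /aws/neptune/graph-analytics/audit until a custom parameter group with the parameter set to 1 is attached and the instances are rebooted.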